Posted
by
Soulskillon Sunday October 30, 2011 @08:18AM
from the here-is-a-list-of-my-favorite-socks dept.

Hasan M. Elahi writes in the NY Times about his run-in with the FBI several months after September 11th, 2001. They'd received an erroneous report that he had explosives and had fled the country, so they were surprised when he showed up at an airport and was flagged by watch-list software. Elahi chose not to fight the investigation, and provided the FBI with enough detail about his life to convince them that he was a lawful citizen. But then, he kept going, providing more and more information about his life, documenting his every move and making it available online. His experience has been that providing too much information affords almost the same privacy blanket as too little. Quoting:
"On my Web site, I compiled various databases that show the airports I’ve been in, food I’ve eaten at home, food I’ve eaten on the road, random hotel beds I’ve slept in, various parking lots off Interstate 80 that I parked in, empty train stations I saw, as well as very specific information like photos of the tacos I ate in Mexico City between July 5 and 7, and the toilets I used. ... A lot of work is required to thread together the thousands of available points of information. By putting everything about me out there, I am simultaneously telling everything and nothing about my life. Despite the barrage of information about me that is publicly available, I live a surprisingly private and anonymous life."

But if a suspect fellow is giving them access to everything he's supposedly doing I'd be trying real hard to find what he was trying to hide?

It's just you.

That said Mr.Elahi should not confuse lack of interest with privacy. It is a fallacy to believe that flooding information about yourself into the system makes it impossible to analyze in a timely fashion or to identify the things you don't willingly share. I'm not a huge privacy freak and in general don't care what you know about me as long as basic civil rights are still enforced by law (something that is starting to fail) but I'm also not stupid enough to believe that you can't figure out what I'm doing if you have almost everything. I just don't care that you know what I'm doing under the current system with my current lack of nefarious activity (this lack of interest will undoubtedly hurt me someday in some way though it will likely be minor and related to employment or income rather than incarceration).

Mr. Elahi seems to confuse the fact that the FBI may no longer care about his daily whereabouts with the fact that they can't sort through the data should every one do what he's doing. Will it be more difficult? yes, but it's not impossible. Google searches the web in near real-time using sophisticated indexing strategies and there is no reason to believe that the FBI couldn't do the same with people and publicly available information to obtain statistically meaningful deviations from normal behavior on your part which could then be referred for human followup. Defeating that type of strategy will take more than sharing almost everthing and hiding the little you you want. It will require a sophisticated disinformation algorithm to produce a statistically nominal profile with original media content while you perform nefarious activities in secret (or just have a beer, smoke, and watch porn in private after they've finished outlawing the last of our vices).

And with all this information, he's now a perfect target as someone to frame if a criminal happens to want to commit a high profile crime near one of his regular stops. Quintuply so now that he's publicized it.

Years ago I attended a few hacker meetings, like 2600. I always gave my real name; Though, it would have been safer if I gave someone else's real name. They always gave their handle. You know what those kids did right after getting your handle? They googled you on their wireless! And, if you had a unique handle, it was really easy to pull up information that was definitely yours. But what are you going to find when I tell you my name is George?
Specifics aside, the author of the article is talking about se

It depends what information you want someone not to be able to get. If you tell someone your name is "websoongi" then they might be able to find this post on Slashdot without any other information, but it's less likely that they can find your home address or social security number.

Whereas if you tell someone your name is "George" then they might not be able to find anything if that is all the information they have. But what if it isn't? If they have access to e.g. a mailing list roster and you're the only G

I'm currently in a class called internet investigations where we are doing exactly what is described. aggregating information about a target to build an accurate picture of who they are and what they're doing. We mainly use google (my professors words "Google has made the investigators life so much easier, 15 years ago you needed high level access to gather this kind of information, now it's just the right search terms")

At the moment the FBI doesn't care, but the minute they have some reason to suspect him

I just don't care that you know what I'm doing under the current system with my current lack of nefarious activity (this lack of interest will undoubtedly hurt me someday in some way though it will likely be minor and related to employment or income rather than incarceration).

I think that the reason that it is important to you is the same reason that it was important to let Larry Flynt continue to publish Penthouse. I have seen Penthouse a number of times, and it is not to my taste. That is not the same as saying that I would not have been harmed if Mr. Flynt had lost his case. My interest lies not in my right to free speech, I have nothing particularly controversial to say. My interest does not lie in protecting, specifically, Mr. Flynt's right to free expression, because I do not like what he has to say. My interest lies in protecting the right of people to say things that I do not like -- things I would not say and do not agree with.

Exactly. Flooding the FBI with information and hoping for privacy is like talking to the police and hoping for clemency. Everything in the fascinating "Why you shouldn't talk to the police" lecture (http://www.youtube.com/watch?v=6wXkI4t7nuc) applies here.

Because this guy has gone so far overboard with the whole thing, the FBI may have him on a completely different list now: Potential whack-jobs. Just because you don't think you're being watched doesn't mean you're not being watched. Hunters often use blinds to fool their prey. Also, let's see how safe this guy feels when some group of bored script-kiddies from 4chan decide to make his life miserable "just for the lulz", or some stalker gets fixated on him, or some identity thief decides he's too easy a mark

It is a fallacy to believe that flooding information about yourself into the system makes it impossible to analyze in a timely fashion or to identify the things you don't willingly share.

Indeed, what you need to do is flood the system with information about other people who are difficult to distinguish from you. Or rather change your name to John Smith and take advantage of an existing sea of irrelevant data.

There have been quite a few incidents of people with the same name as suspected terrorists being unable to fly, but it seems that it only happens when they have an asian name like Mohammed for some reason. It seems unlikely that the FBI would add John Smith to the list, but fortunately

All of this is obviously propaganda to encourage people to forfeit their privacy. Don't fall for it people.You're telling me the guy didn't mind being investigated and questioned for months? That he was ok with even taking polygraphs?You're telling me he had nothing better to do than to make a website about everything he did? And that we should all do the same thing?And how does putting information out there protect you in any way? Those who want to use the info for practical purposes can still get it. It o

The problem is if you're a criminal and you want to pin something on a sucker, if you have a dude with his life posted online then you can set the poor guy up. I wouldn't ever recommend posting every move you make to the internet because at some point someone will use it against you. This world is predatory in nature.

Especially because the FBI makes extensive use of well-paid criminal snitches to gather intelligence. If the snitches have no real leads, then they can manufacture them by saying that ol' Abu down the street is up to no good. The FBI then stalk and browbeat Abu until he admits that he is up to activity that may be considered support of terrorism in the loosest sense.

The FBI then busts Abu and all the mainstream media hail the "operation" as thwarting another terrorist attack. Another "terrorist" is jailed, the snitch is paid anywhere from hundreds to hundreds of thousands of dollars per year(I'm not joking, Google it), all while your family is eating ramen noodles for dinner.

Also keep in mind that all of these "terror plots" are manufactured in their entirety by the FBI. All they do is find a moron who is dumb enough to attempt to enact them, then they goad end entrap the poor fool.

Ethanol-fueld might overstate the case, slightly, but are you saying the FBI doesn't use criminal snitches? Are you claiming that snitches don't have motivation to manufacture stories when their actual value starts to dry up? Are you sure that the FBI doesn't draw a very blurry distinction between internet blow-hards, entrapment and actual criminal plots? Are you implying that the current level of FOX/MSNBC news coverage actually does do in-depth investigations of claims by government?

Facebook is probably more of an issue that what this guy is doing, because he's aware of how much info he has put out there.
90% of the people who do the same VIA Facebook don't realise how much aggregated info there is about them out there for sale.

The most valuable information on Facebook to anyone who wants to screw with you is your social network. Back in the 1950s you could be blacklisted out of your career if you were observed associating with a politically suspect person, but the FBI would have to do a fair amount of work to establish that. Now, it's as easy as a click of the mouse. You might be turned down for a job or promotion because of someone on your friends list, but you'll never know what the real reason was.

If you don't want to work for a bunch of jerks, you've never been long-term unemployed. Once you see the money run out and are reduced to begging your parents to be allowed to move into their basement, you'd work for a jerk and be happy doing so.

The cops, and especially the DA will, in many jurisdictions try to close as many cases as possible without resorting to any real investigation, in short, they will pin it on the first patsy that looks simple and poor enough to make it stick, ex-cons, the illiterate, the mentally challenged are all ready fodder for the young ADA to make his conviction rate go up so as to advance his/her career. Plea deals, coerced confessions, jinky evidence and judges with low blood sugar, lead us into being the largest in

It was a bribe, if you didn't pay it the ax would be used to saw, not chop, or the noose would strangle not break the neck, or the garrote would not be used prior to lighting the fire!

Governments are and have been the enemy of the common man! It is only in the past 50 years in a very few countries that there has been a movement towards a truly humane and democratic state that actually represents the interests of it's people.

A lot of work is required to thread together the thousands of available points of information.

No, it is not. Data-mining is real and getting better every day. Huge amounts of data are no hindrance. It is certainly not harder to find a specific piece of information about you just because you put much more online.

A lot of work is required to thread together the thousands of available points of information.

No, it is not. Data-mining is real and getting better every day. Huge amounts of data are no hindrance. It is certainly not harder to find a specific piece of information about you just because you put much more online.

It's a hot research area right now. As I'm on the job market myself, I've found gobs of academic and industry positions that are searching for candidates with a focus in "big data" and data mining. If information saturation is a problem today, you can be sure that tons of people are working hard to make sure that tomorrow it isn't.

Data mining is based on a single assumption, which if being false, collapses the whole utility of data mining. Data mining expects to get good input data.

That would depend entirely on the model and such a system of course wouldn't assume that. But it's much easier to positively confirm information than to find it.

Observe: "Today I ate at McDonald's and paid cash" although you were home and had Chinese take-away which you paid with a card.

Perhaps the simplest check would be to check your cell phone data, unless you sent a friend to McDonalds with it. Or if you were a person of interest we could pull up security cameras. We could question the employees. We can check the card company that you did in fact pay for Chinese take-away. It's just as much about finding who and when someone wo

I wanted to mod this up, cause I agree, but there's one point I haven't seen mentioned here or in most of the posts below (that I've read so far)...

If you do provide false information, and they (FBI) ask if it this little log of yours is true and you say "yes", then you can be held for lying to a federal officer (and/or obstruction of justice, etc). All they have to do is find one little line that isn't accurate... and that would probably be trivial. Then, even if your alibi is honest and someone is setting you up, you've just discounted your entire source of "facts" as inadmissible. They don't even need to find a lie to hint at the consequences - "You know... lying to a federal officer is a crime."

True story, I was questioned in relation to an FBI investigation many years ago (I worked at an ISP that had been "hacked" and claimed enormous damages and got the FBI involved). The night of the incident, I was drunk (along with most of my coworkers to boot). I was cooperating, but they found one of the things I said to be in conflict with something someone else said. They called us both in and had the company legal people there too, and he laid out the statements and then said that lying to a federal officer can get you N years in jail, etc etc.

I had told the truth, but with threats like that, I didn't want to talk to them at all anymore. We both fell back on "hey, I already told you I was very very drunk, and this is how I remember it." Nothing happened to us (except that we were soon fired without cause by an overly paranoid always-have-4-sources-of-white-noise-in-his-office owner), but a few people I knew had all their computers confiscated (included blank media, tv's, monitors, keyboards, etc), and they were completely innocent.

They even brought up the drunk thing, I assume trying to make me slip up... I had told them I drove back to the office as soon as I heard about the incident (as did everyone else). He's like, "So if you were supposedly very drunk, how did you drive back to the office?". I just shrugged and told "yep, both those things happened". He was nice enough not to use that as an admission of guilt and hand it over to the local policy to charge me with drunk driving, but he allowed the threat of that to hang in the air, so to speak.

Anyway, point being, whatever info you provide will likely be used against you, even if it's just as a threat to try to get more out of you. And you don't have to be guilty of what they're looking for to end up with some significant negative consequences.

FWIW, I wouldn't change a single thing I did. Getting fired from there was one of the best things that ever could have happened to me in the long run.

Reading your post my thought was that the FBI agents were bullshitting you about "lying to a federal officer can get you N years in jail, etc etc" as cops like to lie. Unbelievably America actually has a law against lying to a federal officer, not lying to obstruct justice or commit fraud but just lying.http://en.wikipedia.org/wiki/Making_false_statements [wikipedia.org]

The fact is not that he ate McD's and paid cash.. the fact is that he announced that he ate at McD's and paid cash. The group that announces that very thing can be statistically modeled regardless of the veracity rate of the announcement.

When millions of people are making announcements, the models become extremely good. You and a hundred thousand other people have made that announcement and it turns out that there will be a strong correlation between that announcement and other facts about the gr

Interesting thought, but I don't think it's a good idea. Volunteering everything might work as long as there are very few people doing it -- but if everyone starts doing it, it then (i) the feds will focus on improving software that automatically filters out suspicious traits from the online data, and (ii) not sharing everything will be deemed suspicious.

Interesting thought, but I don't think it's a good idea. Volunteering everything might work as long as there are very few people doing it -- but if everyone starts doing it, it then (i) the feds will focus on improving software that automatically filters out suspicious traits from the online data, and (ii) not sharing everything will be deemed suspicious.

If any of us got enough RL interaction we'd be out getting laid, not trolling this place. It stopped being a useful primary location for news and stuff that matters a long time ago.

I beg to differ. I often see stories posted on other sites pointing to a story hosted on/. Very often (though, of course, not always) the first time I hear about something it's thanks to a story on/.

Besides that, there is some value in that touchy-feely concept "community." People here know and care about stuff that many of my knowledgeable RL friends are oblivious to. Many of the latter have never heard of, nor would care about things like dmr, Righthaven, DMCA, Region Encoding, & etc.

Yeah - agreed. This is the argument the police use to justify warrantless searches: "If you are not doing anything wrong, what do you have to hide?" The point is not what I have to hide...the point is that I own myself, that I have an actual constitutional right to not be searched and tracked without a warrant, and just because your douche-bag policy attitude gets offended when I exercise these rights, it doesn't make them less real.

Actually, the top statement is true. The real problem is that what with the ton of idiotic laws we have, almost every person is surely doing *something* illegal, often enough not even knowing about it.

Yeah, this strikes me as a rather dumb thing to do. It probably works well as long as you're dealing with ethical agents who are interested in finding truth and just as happy to clear an innocent citizen, but that doesn't describe all of them. There's also this notion of circumstantial evidence that has an unfortunately high value in court (as in not zero like it should). If this guys travels happened to mirror some terrorist, odds are he wouldn't be out in the fresh air writing about this experience.

Actually, no, since he makes a point that the data can only be accessed in a user unfriendly manner. The info is there, but you have to invest time in extracting it. FaceTweetSquare package your life up and sell it in a much more easily marketable fashion. So he's actually much better off.

If you generate a constant stream of bad data, the cost of separating good data from bad will rise. This in turn will encourage law enforcement, who get rewarded for convictions in the least amount of time and have other cases they can pursue, to move on to the next case.

This is only true if you supply that stream of bad data into all the channels, the other side has to get data about you.In this case, they know that everything on his site might be fake. So they might have to use other channels to cross-check it. But he can only influence the data on his website, not the other means the FBI has to get data about him.So in the end, at worst the FBI is exactly as good off, as if he had not supplied data at all. But it is more likely, that the combined data from all channels w

How long before such data generation is available as a purchasable service? Either buy one fake online life in monthly installments, or buy the bulk pack - eighteen online lives, each of which might plausibly be about you, but which are inconsistent with each other.

What I want to know is how he knows that he lives a private life?And why he thinks it is so hard for anyone to find out anything about him simply because they is more then average out there.Even if all the data is in untaged pictures there more then a few ways to process it.

Yup, there is a whole wing in the FBI HQ dedicated to tracking his every move. One of these days they will grab him again and then he'll have to explain why he changed his routine from Taco Bell to McDonalds on 23 October 2011...

This guy is pretty ignorant about what is possible with computers. If everyone made every detail of their lives available in a digital format, the FBI would be thrilled and could probably cut jobs instead of needing to hire more employees.

The only way this would be an idea even worth entertaining would be if you treat it like you're writing a book based upon your life. Include the least amount of verifiable information as possible to make it seem accurate and then fill the rest with the most outlandish thin

Yup. You would have to make it have a bad signal to noise ratio. Tell the truth about the things that are obviously verifiable, tell lies about everything in between in such a way that it's still plausible, and keep in straight in your head so they don't catch you in the lie when they question you about it later. And even then, your algorithm for generating the lies better be practically flawless or they'll find something like "you can't get across town in an hour" or something and the whole system comes

Yup. You would have to make it have a bad signal to noise ratio. Tell the truth about the things that are obviously verifiable, tell lies about everything in between in such a way that it's still plausible, and keep in straight in your head so they don't catch you in the lie when they question you about it later. And even then, your algorithm for generating the lies better be practically flawless or they'll find something like "you can't get across town in an hour" or something and the whole system comes crashing down.

I've read a few research papers that propose this to provide privacy in a social networking type scenario. Basically, the "lies" are drawn from the population trends and applied to each individual. That way, individual data is obfuscated while still preserving whatever trend the data is used to represent. They even create fake users based on these general trends so that nobody who is looking through the data can tell if an individual is a real person or a fake one.

His assumptions about the nature of information sharing and privacy are dangerously wrong.

The problem of information sharing is inequity; if it turns out that he documents his presence at a laundromat on some random dull October day, and later it turns out that some terrorists used to meet up there, his documentation of that random laundromat appearance will put him under scrutiny all over again - without any concrete reason. Meanwhile, some other fellow who rode his bike and paid with cash and didn't document his life on the web will probably never be scrutinized.

There is a fundamental issue with all mass intelligence/data collection: Humans don't understand conditional probabilities.

When we start to use large databases of essentially random data to inform investigations, we greatly increase the likelihood that investigations impact random people.

FTFA:"I COULD have contested the legality of the investigation and gotten a lawyer. But I thought that would make things messier. It was clear who had the power in this situation."

No, American police, whether FBI or state or local, have no power unless you let them interrogate you without a lawyer. This isn't Europe where police investigations start with a beating: you just have to ask, politely, for a lawyer, and you hold all the cards.

He gave them all the power. Was he justifiably scared? Sure, I can completely understand that. He probably wasn't prepared to be grilled.

But this is all the preparation anyone needs: just remember to say, "I'd be happy to help you, officer, but to answer any questions I'll need a lawyer."

You mean, the US police are nothing like the police in any of the twenty-ish countries that make up loosely-defined Europe - you are right. Most citizens in most countries of Europe are not frightened of their own police.

This isn't Europe where police investigations start with a beating: you just have to ask, politely, for a lawyer, and you hold all the cards.

This may have to do with the police not being as afraid of the citizens' carrying a gun, and thus not treating citizens as criminals-until-proven-innocent. Having been stopped by traffic police while visiting the US, my experience of being treated as a criminal was not nice at all; in my n

Why would any information on a blog be taken as 100% truth? Since you can edit photo meta-data there is no way to prove when a photo was taken, where it was taken, by whom it was taken, or what camera it was taken with; all of this data can be spoofed. Combine falsified photos with an elaborate story about your whereabouts and make a post on your blog through a vpn from your phone so it looks like you were at home when you posted it. If you're doing this on a regular basis then it wouldn't be hard to create a semi-automatic system to do most of this work for you.

Are we to believe that an investigative authority such as the FBI is going to simply take someones electronic word for it?

Only because three letter agencies do not have optimized there Hadoop instances yet does not mean your data will not get analyzed soon.
There is only on reliant way of protecting your privacy and that is to not leave too many trails. Period.

Has anyone actually looked over his data [trackingtransience.net] to see how easily mined it could be, by average folk or dedicated institutions? We can't begin to fully judge his claims of privacy through difficulty decoding until we've seen his technique.

I've glimpsed at his data, his photos, and it doesn't seem like it would be that difficult to build a system to suck it up and index it. I'm kind of surprised Google hasn't made it trivial to search already. E.g., "september 23 site:trackingtransience.net". Or, putatively, "f

The idea of flooding the data collectors with valid but irrelevant information is clever and good, but it may backfire. Any gaps will be painfully obvious and if you have one at the exact time something goes down, it makes you even more of a suspect because - if you document everything EXCEPT at this particular time... well, then you probably were doing something you shouldn't...

The classic information flood is the inclusion of certain words in phonecalls, emails and so on - just mess with Echelon and simil

Not even intentional gaps... I had a friend who was going through a messy period with his wife, and she made him turn on tracking on his phone so she could watch him. We had to make a lunch run to a place where the lunch room was in a sub-basement. While we are there he takes out his phone...and the GPS says we are several towns away.... within minutes he gets a phone call about it.

Other times, I have seen my own GPS mess up and have me over 1000 miles from here. So.... your gps data, that you are compiling

And this makes it harder to find him out than not supplying any info at all... how?If the info is false, you might find conflicting facts in it. Data that might be true is certainly better than no data at all, when trying to figure something out.

I thought "core dump" was what Unix people do when they spend a bit longer on the toilet, but OK.

I'd call it building a bigger haystack, which, ironically, is a continuation of what the TSA and NSA have been doing all along (the latter by taking feeds from Facebook and Google).

He's right: they won't find anything. Even if he was doing something really bad, he's hit on another reason why the desire for so much data exists: it only ever serves to prove bad intentions AFTER the crime. Sifting through a delug

Suspicion is fueled by ignorance - something seems scary when it is only half-visible. This man's strategy was, in part, to illuminate that previously invisible half.

The scary thing here is that he felt compelled to use this unorthodox strategy to long-term prove his innocence. What happened to "innocent until proven guilty?" How comes everyone is now considered suspect, until he gets a clean bill of innocence by some partially obscure 3 letter agencies? I wouldn't spend as much time discussing "public pr